
2.F CoreView's Use of Administrative Credentials

I. Overview

During the sign-up process, you will be prompted to supply the User Principal Name of an Office 365 account that has been granted the Global Administrator (Tenant Admin) role in Office 365 and on which MFA is not active. This account is used temporarily by CoreView during the initial part of the sign-up process to connect to your Office 365 tenant and to initialize the creation of your CoreView Tenant. The administrative credentials you provide during sign-up are not stored or retained by CoreView. Because MFA has to be off for this one step, use a dedicated, temporary administrator account for it and re-enable MFA on it (or remove the account) as soon as sign-up completes.


The administrative account used by the CoreView sign-up process does not need to be assigned an Office 365 license and can be a cloud-only account, such as ima_admin@acme.onmicrosoft.com. It is used only to grant the consents listed below and to create the CoreView service accounts; the service accounts themselves hold view-only (Global Reader) permissions on your Office 365 tenant's data and cannot be used to perform changes in the system.


During the sign-up process you are asked to consent to the following apps:


Mandatory Apps:

  • CoreView Registration App: this is a temporary app used for service account creation and can be removed from the tenant immediately after the sign-up process.
    • Azure Active Directory Graph (3)
      • Sign in and read user profile – used to perform SSO from Azure AD to CoreView platform
      • Read and write all users' full profiles – used to create Service Accounts on Azure AD
      • Read and write all directory RBAC settings – used to assign Global Reader role to our Service Accounts
  • CoreView API Integration:
    • Azure Active Directory Graph (2)
      • Read directory data: allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
      • Sign in and read user profile: allows users to sign into the app with their work or school accounts and allows the app to see basic user profile information.
    • Microsoft Graph (28)
      • Read all access reviews: allows the app to read access reviews on behalf of the signed-in user.
      • Read all administrative units: allows the app to read administrative units and administrative unit membership without a signed-in user.
      • Read all applications: allows the app to read applications and service principals on behalf of the signed-in user.
      • Read all audit log data: allows the app to read and query your audit log activities, without a signed-in user.
      • Read all BitLocker keys: allows an app to read BitLocker keys for all devices, without a signed-in user. Allows read of the recovery key.
      • Read contacts in all mailboxes: allows the app to read all contacts in all mailboxes without a signed-in user.
      • Read Microsoft Intune apps: allows the app to read the properties, group assignments and status of apps, app configurations and app protection policies managed by Microsoft Intune, without a signed-in user.
      • Read Microsoft Intune device configuration and policies: allows the app to read properties of Microsoft Intune-managed device configuration and device compliance policies and their assignment to groups, without a signed-in user.
      • Read Microsoft Intune devices: allows the app to read the properties of devices managed by Microsoft Intune, without a signed-in user.
      • Read Microsoft Intune RBAC settings: allows the app to read the properties relating to the Microsoft Intune Role-Based Access Control (RBAC) settings, without a signed-in user.
      • Read Microsoft Intune configuration: allows the app to read Microsoft Intune service properties including device enrollment and third party service connection configuration, without a signed-in user.
      • Read directory data: allows the app to read data in your organization's directory, such as users, groups and apps, without a signed-in user.
      • View users' email address: allows the app to read your users' primary email address.
      • Read all groups: allows the app to read group properties and memberships, and read the calendar and conversations for all groups, without a signed-in user.
      • Read all group memberships: allows the app to read memberships and basic group properties for all groups without a signed-in user.
      • Read all identity risk event information: allows the app to read the identity risk event information for your organization without a signed in user.
      • Read all identity risky user information: allows the app to read the identity risky user information for your organization without a signed in user.
      • Read all identity user flows: allows the app to read your organization's user flows, without a signed-in user.
      • Read all user mailbox settings: allows the app to read user's mailbox settings without a signed-in user. Does not include permission to send mail.
      • Read all hidden memberships: allows the app to read the memberships of hidden groups and administrative units without a signed-in user.
      • Read organization information: allows the app to read the organization and related resources, without a signed-in user. Related resources include things like subscribed skus and tenant branding information.
      • Read all usage reports: allows an app to read all service usage reports without a signed-in user. Services that provide usage reports include Office 365 and Azure Active Directory.
      • Read all directory RBAC settings: allows the app to read the role-based access control (RBAC) settings for your company's directory, without a signed-in user. This includes reading directory role templates, directory roles and memberships.
      • Read your organization's security actions: allows the app to read security actions, without a signed-in user.
      • Read your organization’s security events: allows the app to read your organization’s security events without a signed-in user.
      • Read all users' teamwork activity feed: allows the app to read all users' teamwork activity feed, without a signed-in user.
      • Read all users' installed Teams apps: allows the app to read the Teams apps that are installed for any user, without a signed-in user. Does not give the ability to read application-specific settings.
      • Read all users' full profiles: allows the app to read user profiles without a signed in user.
    • Office 365 Management APIs (3)
      • Read activity data for your organization: allows the application to read activity data for your organization.
      • Read DLP policy events including detected sensitive data: allows the application to read DLP policy events, including detected sensitive data, for your organization.
      • Read service health information for your organization: allows the application to read service health information for your organization.

Optional steps:

  • CoreView SharePoint Integration – API permissions: this app is used to retrieve additional details and security information from SharePoint and OneDrive, in particular OneDrive owners. Note that "Have full control of all site collections" is a write-capable permission, broader than the read-only access described elsewhere in this article; grant it only if you need the SharePoint/OneDrive data it unlocks.
    • Azure Active Directory Graph (2)
      • Sign in and read user profile
    • SharePoint (1)
      • Have full control of all site collections
  • CoreView Recipient Permissions role on Exchange: this is a custom Exchange management role containing only the Get-RecipientPermission cmdlet, which is required to retrieve SendAs permissions on mailboxes during the import process. CoreView provides a PowerShell script that you run against your tenant in an Exchange Online PowerShell session opened as an Exchange administrator.
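The following is an added example of how such a single-cmdlet role can be built and verified; it is not the script CoreView provides. It assumes the ExchangeOnlineManagement module with a Connect-ExchangeOnline session opened as an Exchange administrator, that the parent role "Mail Recipients" exposes Get-RecipientPermission (checked before anything is created), and a placeholder service-account UPN.

```powershell
# Added example (not CoreView's script): create a custom Exchange Online management role
# that contains only Get-RecipientPermission, assign it to a service account, and verify it.
# Assumptions: ExchangeOnlineManagement module; Connect-ExchangeOnline already run as an
# Exchange administrator; placeholder UPN below replaced with your CoreView service account.
$roleName       = 'CoreView Recipient Permissions'
$parentRole     = 'Mail Recipients'                      # assumption: a built-in role that holds the cmdlet
$serviceAccount = 'coreview-svc@acme.onmicrosoft.com'    # assumption: placeholder UPN

# A derived role can only contain a subset of its parent's entries, so make sure the
# parent actually exposes the one cmdlet we need before creating anything.
$parentEntry = Get-ManagementRoleEntry "$parentRole\Get-RecipientPermission" -ErrorAction SilentlyContinue
if (-not $parentEntry) {
    throw "Parent role '$parentRole' does not expose Get-RecipientPermission; choose a parent role that does."
}

# Create the custom role once (idempotent re-runs are safe).
if (-not (Get-ManagementRole $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $roleName -Parent $parentRole | Out-Null
}

# Strip every inherited entry except Get-RecipientPermission: the role then grants exactly
# one read-only cmdlet and nothing that can modify recipients.
Get-ManagementRoleEntry "$roleName\*" |
    Where-Object { $_.Name -ne 'Get-RecipientPermission' } |
    ForEach-Object { Remove-ManagementRoleEntry -Identity "$roleName\$($_.Name)" -Confirm:$false }

# Assign the role directly to the service account (a role group would work equally well).
if (-not (Get-ManagementRoleAssignment -RoleAssignee $serviceAccount -Role $roleName -ErrorAction SilentlyContinue)) {
    New-ManagementRoleAssignment -Role $roleName -User $serviceAccount | Out-Null
}

# Verification: the role must list exactly one entry, and the account one assignment for it.
$entries = @(Get-ManagementRoleEntry "$roleName\*")
if ($entries.Count -ne 1 -or $entries[0].Name -ne 'Get-RecipientPermission') {
    throw "Role '$roleName' contains unexpected entries: $($entries.Name -join ', ')"
}
Get-ManagementRoleAssignment -RoleAssignee $serviceAccount -Role $roleName |
    Select-Object Name, Role, RoleAssigneeName
```

Re-run the verification block after any Exchange role change in the tenant: because the custom role is derived from a parent, an administrator re-adding entries to it (or assigning a second, broader role to the same account) silently widens what the account can do.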

Important Notes:

  • All app and service account operations (create, update, delete) are performed system to system, without human intervention.
  • MFA should be enabled on all our service accounts, following the instructions in our Knowledge Base for the datacenter chosen for your tenant: How to Configure Allowed IP Addresses for CoreView Service Accounts
  • Customers can choose to grant only part of the consent; CoreView will create ad hoc scripts to match the reduced list. Be aware that this reduces the quantity and quality of the data imported.
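As an added check, not code from this article or from CoreView, the following Microsoft Graph PowerShell SDK session lists what the consented "CoreView API Integration" service principal was actually granted (application and delegated permissions, with the display names that appear on the consent screen), flags anything that is not read-only, and confirms that the CoreView service accounts hold Global Reader and no other directory role. The app display name, the connection scopes and the service-account naming pattern (`*coreview*`) are assumptions; adjust them to your tenant.

```powershell
# Added example (not CoreView code): audit the consent actually granted to the CoreView
# API Integration app and the directory roles held by the CoreView service accounts.
# Assumptions: Microsoft Graph PowerShell SDK installed; an admin session opened with
#   Connect-MgGraph -Scopes "Application.Read.All","Directory.Read.All"
# and the display name / naming pattern below matching your tenant.
$appDisplayName = 'CoreView API Integration'   # assumption: name of the consented app in your tenant
$svcPattern     = '*coreview*'                 # assumption: UPN pattern of the CoreView service accounts

$sp = Get-MgServicePrincipal -Filter "displayName eq '$appDisplayName'"
if (-not $sp) { throw "Service principal '$appDisplayName' not found; consent may not have been granted." }

# Application permissions ("without a signed-in user") are app role assignments on the
# client SP; resolve each AppRoleId against the resource API's AppRoles to get its name.
$resourceCache = @{}
$appPerms = foreach ($a in Get-MgServicePrincipalAppRoleAssignment -ServicePrincipalId $sp.Id -All) {
    if (-not $resourceCache.ContainsKey($a.ResourceId)) {
        $resourceCache[$a.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $a.ResourceId
    }
    $resource = $resourceCache[$a.ResourceId]
    $role = $resource.AppRoles | Where-Object Id -eq $a.AppRoleId
    [pscustomobject]@{
        Type        = 'Application'
        Resource    = $resource.DisplayName    # e.g. Microsoft Graph, Office 365 Management APIs
        Permission  = $role.Value              # e.g. Directory.Read.All
        DisplayName = $role.DisplayName        # e.g. "Read directory data", as on the consent screen
    }
}

# Delegated permissions ("on behalf of the signed-in user") live in OAuth2 permission grants.
$delegatedPerms = foreach ($g in Get-MgOauth2PermissionGrant -Filter "clientId eq '$($sp.Id)'" -All) {
    if (-not $resourceCache.ContainsKey($g.ResourceId)) {
        $resourceCache[$g.ResourceId] = Get-MgServicePrincipal -ServicePrincipalId $g.ResourceId
    }
    foreach ($scope in ($g.Scope -split ' ' | Where-Object { $_ })) {
        [pscustomobject]@{
            Type        = "Delegated ($($g.ConsentType))"
            Resource    = $resourceCache[$g.ResourceId].DisplayName
            Permission  = $scope
            DisplayName = ''
        }
    }
}

$granted = @($appPerms) + @($delegatedPerms)
$granted | Sort-Object Type, Resource, Permission | Format-Table -AutoSize

# This article lists only read permissions for the API Integration app, so any write or
# full-control scope here means the consent in the tenant differs from what is documented.
$notReadOnly = $granted | Where-Object { $_.Permission -match 'Write|FullControl|Manage' }
if ($notReadOnly) {
    Write-Warning "Permissions granted beyond read-only:"
    $notReadOnly | Format-Table -AutoSize
}

# Service accounts: each CoreView account should appear under Global Reader and nowhere else.
# Get-MgDirectoryRole returns only roles that have been activated in the tenant.
$roles        = Get-MgDirectoryRole -All
$globalReader = $roles | Where-Object DisplayName -eq 'Global Reader'
if (-not $globalReader) { throw 'Global Reader role is not activated in this tenant.' }

foreach ($m in Get-MgDirectoryRoleMember -DirectoryRoleId $globalReader.Id -All) {
    $upn = $m.AdditionalProperties['userPrincipalName']
    if (-not $upn -or $upn -notlike $svcPattern) { continue }
    $extraRoles = foreach ($r in ($roles | Where-Object Id -ne $globalReader.Id)) {
        if (Get-MgDirectoryRoleMember -DirectoryRoleId $r.Id -All | Where-Object Id -eq $m.Id) { $r.DisplayName }
    }
    if ($extraRoles) { Write-Warning "$upn holds Global Reader plus: $($extraRoles -join ', ')" }
    else             { "$upn : Global Reader only" }
}
```

Run this immediately after sign-up and keep the output as the baseline for the consent you accepted; re-running it later shows whether an app permission or a service-account role has been widened since.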

Additional Notes:

For more information on Microsoft rights please refer to:

The initial service accounts created by CoreView are used exclusively to gather data from the environment and are not enabled to perform management changes within it. CoreView system users do not require Office 365 licensing and are used only during this import procedure. They are members of a CoreView group with Global Reader-only permissions on the tenant and cannot be used to perform changes in the system.

The CoreView Role has the following assigned roles on Office 365:

  • Global Reader
  • CoreView Recipient Permissions (optional)


---

Published: 02/12/2018

Updated: 09/11/2020

